[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
"Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?)
Given that NGS Software participated in Microsoft's Security Development
Lifecycle  and your paper is already being referenced by Microsoft
employees , the following question should be addressed to ensure the
comparison is fair:
Did NGS Software find any bugs in a version of SQL Server mentioned in
the paper (7, 2005, and 2005) during a private security audit which were
disclosed to Microsoft and fixed without being mentioned in a Microsoft
If the answer is yes, then it produces two problems pertaining to the
1. It (quite significantly) skews the NGS Software comparison paper in
favor of Microsoft. Reason: Several (the vast majority?) of the Oracle
vulnerabilities mentioned in the paper were found by NGS Software, and
similar Microsoft SQL Server vulnerabilities NGS Software found were
2. There is a conflict of interest. Reason: NGS Software has an interest
in SQL Server appearing to be more secure (lest it would reflect poorly
on NGS Software's auditing capabilities).
Further if the answer is yes, NGS Software vulnerabilities found in
Oracle subsequent to the NGS Software's first security audit of SQL
Server should be excluded from this comparison.
If the answer is no, then disregard my comments. Just verifying!
 "Windows Vista Security Testing"
 "Which Database is More Secure? Oracle vs Microsoft"
From: David Litchfield [mailto:davidl@xxxxxxxxxxxxxxx]
Sent: Monday, November 20, 2006 8:28 PM
To: bugtraq@xxxxxxxxxxxxxxxxx; dbsec@xxxxxxxxxxxxx
Subject: Which is more secure? Oracle vs. Microsoft
What started out as a fun project for me turned out some serious results
"Which is more secure? Oracle vs Microsoft" is a paper I put together
looking at the number of security flaws in the Oracle and MS database
offerings. For those that are interested, you can grab a copy of the